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(54) Data encryption/decryption using DES 

(57) An arrangement (6) for encrypting/decrypting data comprising: random access memory (12) for holding 
the data; a processor (10) for processing the data, the processor having a memory map including a first 
portion (12.0) mapped onto the random access memory and a second portion (12.1); and control means (18, 
34, 26) coupled to receive an instruction to write data to an address in the second portion of the memory map 
and in response thereto to write the data in a predetermined perm uted form to an associated address in the 
random access memory, whereby data read from said associated address in the random access memory is an 
encrypted/decrypted version of the data written to said address in the second portion of the memory map. 



FIG. 2 



i 

I 

r 
i 

L 



12*A 



12*1 



12.2 



I 
I 

n 

i 




21 



21 



21 



553 



38 | 40 



12 .0 



12 



2a 



2SL 



21 



16 



o 

CD 

ro 
CO 

CD 

O 
CJI 

> 



BNSDOCIO <fiR S^1Q70SA I 



2/3 




BNSDOCID: <G8 2319705A I > 




BNSDOCID: <G8 _ 2319705A I > 



2319705 



- 1 - 

ARRANGEMENT FOR ENCRYPTION /DECRYPT I ON OF DATA 
AND DATA CARRIER INCORPORATING SAME 

5 FIELD OF THE INVENTION 

This invention relates generally to 
encryption/decryption of data, and to data carriers 
incorporating arrangements for encryption/decryption of 
1 0 data . 



BACKGROUND OF THE INVENTION 

1 5 Electronic devices are commonly used to carry data 

(such as, for example, financial or personal data) which 
must be kept secure from unauthorised access. A typical 
method of preventing unauthorised access to data carried 
in such devices is by the use of a password. 

20 

A typical, known password scheme involves the use of 
the known Data Encryption Standard (DES) to 
encrypt /decrypt the password. In its steps the Data 
Encryption Standard algorithm requires data to be 

2 5 permuted in a predetermined manner. 

The practical implementation of the Data Encryption 
Standard typically requires the presence of extra 
registers and/or additional processing steps to effect 

3 0 the required permutations . 
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SUMMARY OF THE INVENTION 

It is an object of the present invention to provide 
an arrangement for encryption/decryption of data, and a 
5 data carrier incorporating same, in which the above 
disadvantages are overcome or at least alleviated. 

In accordance with a first aspect of the invention 
there is provided an arrangement for 
10 encryption/decryption of data as claimed in claim 1. 

In accordance with a second aspect of the invention 
there is provided an arrangement for 

encryption/decryption of data as claimed in claim 2 . 



15 



20 



In accordance with a third aspect of the invention 
there is provided a data carrier incorporating an 
arrangement for encryption/decryption of data as claimed 
in claim 6 . _ 



BRIEF DESCRIPTION OF THE DRAWINGS 



One data carrier incorporating an arrangement for 

2 5 encryption/decryption of data will now be described, by 

way of example only, with reference to the accompanying 
drawings, in which: 

FIG. 1 shows a data carrier utilising the present 

3 0 invention; 

FIG. 2 shows a block schematic diagram of a 
microcontroller of the data carrier of FIG. 1; and 
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FIG. 3 shows a block schematic diagram of an 
alternative microcontroller which may be used in the 
data carrier of FIG. 1. 

5 

DETAILED DESCRIPTION OF A PREFERRED EMBODIMENT 

Referring firstly to FIG. 1, a smart card data 
carrier 2 is formed of a conventionally-sized plastic 
1 0 card 4, which encapsulates an integrated circuit 

microcontroller 6 . Contacts 8 provide an interface 
between the card's microcontroller 6 and a card reader 
(not shown) . 

1 5 Referring now also to FIG. 2, the microcontroller 6 

comprises a central processing unit (CPU) 10 which is 
coupled to random access memory (RAM) 12 via an address 
bus 14 and a data bus 16. As will be described in more 
detail below, the address space of the CPU 10 is mapped 

2 0 on to five memory ranges 12.0 ($10 to $FF) , 12.1 ($110 to 

$1FF), 12.2 ($210 to $2FF), 12.3 ($310 to $3FF) and 12.4 
($410 to $4FF) . Only the lowest address range 12.0 ($10 
to $FF) contains physical RAM. 

2 5 Four similar address range detectors 18, 20, 22 and 

24 are coupled to the address bus 14. As will be 
described in more detail below, the address range 
detectors 18, 20, 22 and 24 detect whether an address on 
the- address bus is within one of four respective chosen 

3 0 ranges, and to produce a corresponding detector output. 

Four similar logic circuits 26, 28, 30 and 32 (which 
will be described in more detail below) are connected in 
the data bus 16. Four logic AND gates 34, 36, 38 and 40 
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have their outputs connected respectively to the logic 
circuits 26, 28, 30 and 32. The AND gates 34, 36, 38 and 
40 each have one input connected to the output of a 
respective address range detectors 18, 20, 22 and 24. 
5 The AND gates 34, 36, 38 and 40 each have another input 
connected to receive a write enable signal from the CPU 
10 on line 42 . 

As will be described below, the circuitry of FIG. 2 
10 is particularly useful in performing the Data Encryption 
Standard (DES) algorithm. As referenced above, the DES 
algorithm is a well-known algorithm for 
encryption/decryption of data such as passwords and 
cipher keys. Further details of the DES algorithm are 
15 given in National Bureau of Standards Publication 500-20, 
1980 'Validating the Correctness of Hardware 
Irrplementations of the NBS Data Encryption Standard*, 
which is hereby incorporated by reference. 

2 0 As well known, the DES algorithm requires data to be 

permuted in two different pre-defined permutations: a 1 32- 
bit permutation conventionally termed the *p* - 
permutation, and a 48-bit permutation conventionally 
termed the "permuted choice 2" permutation. 

25 

As will be described below, in the microcontroller 6 
the "p* permutation and the "permuted choice 2" 
permutation are performed in hardware, other steps of the 
DES algorithm being performed in software {as is well 

3 0 known) and requiring no further explanation. 

The "p" permutation is performed by combining two 
sub- functions PI and P2 , and the "permuted choice 2" 
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permutation is performed by combining two sub- functions 
-KS1 and KS2. 

The PI sub- function is defined as follows: 







7 


6 


5 


4 


3 


2 


1 


0 


pl 


input byte 0 


01 


02 


03 


04 










pi 


input byte 1 


09 


10 


11 


12 










pl 


input byte 2 


17 


18 


19 


20 










pl 


input byte 3 


25 


26 


27 


28 


- 


- 


- 


- 


pl 


output byte 0 






20 






12 


28 


17 


pl 


output byte 1 


01 






26 




18 




10 


pl 


output byte 2 


02 










27 


03 


09 


nl 


output byte 3 


19 










T 1 

_1_ _L 








The P2 sub- function 
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The KS1 sub-function is defined as follows: 
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In the above table definitions of the PI and P2 sub- 
functions and the KS1 and KS2 sub-f unctions , the bit 
numbering scheme is as described in the above-quoted NBS 
1 0 reference . 

It may also be noted that bits 9, 18, 22, 25, 35, 38, 43 
and 54 in the KS1 and KS2 sub-f unctions are unused, as 
also described in the above-quoted NBS reference. 
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In order to perform the PI sub-function, the CPU 
attempts to write four bytes (0 to 3) of source data (to 
be permuted) to address locations in the memory address 
5 space 12.1 ($110 to $1FF) . The effect of this is 

actually to write permuted data into corresponding memory 
. locations in the address range 12.0 ($10 to $FF) . This 
permutation is achieved as follows. 

1 0 When the address range detector 18 detects that the 

address bus carries an address in this range ($lxx) , it 
produces its output to the AND gate 34. The AND gate 34 
also receives a write enable signal from the CPU 10, and 
produces a permute enable signal to the logic circuit 26. 

15 

Absent a permute enable signal, the logic circuit 26 
passes data along the data bus directly without permuting 
its bits. However, in the presence of a permute enable 
signal produced by its associated AND gate, the logic 

2 0 circuit 26 permutes the individual bits of data on the 

data bus in accordance with the definition given in the 
upper half of the PI table above. The permuted data is 
then written to the physical memory locations at 
corresponding addresses in the range ($10 to $FF) , the 

2 5 most significant character of the attempted address (in 

the range $110 to $1FF) being ignored in actually writing 
the data into physical RAM memory space 12.0. 

The result of this permuted writing is that after 

3 0 all four bytes have been written by the CPU, the permuted 

data can be read from the physical memory space 12.0 ($10 
to $FF) as shown the lower half of the PI table above. 
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Similarly, to the process described above for the PI 
sub- function, in order to perform the P2 sub- function, 
the CPU attempts to write four bytes (0 to 3) of source 
' data (to be permuted) to address locations in the memory 
5 address space 12.2 ($210 to $2FF) . The effect of this is 
actually to write permuted data into corresponding memory 
locations in the address range 12.0 ($10 to $FF) . This 
permutation is achieved as follows . 

1 0 When the address range detector 20 detects that the 

address bus carries an address in this range ($2xx) , it 
produces its output to the AND gate 36. The AND gate 36 
also receives a write enable signal from the CPU 10, and 
produces a permute enable signal to the logic circuit 28. 

1 5 

Absent a permute enable signal, the logic circuit 28 
passes data along the data bus directly without permuting 
its bits. However, in the presence of a permute enable 
signal produced by its associated AND gate, the logic 

2 0 circuit 28 permutes the individual bits of data on the 

data bus in accordance with the definition given in the 
upper half of the P2 table above.. The permuted data is 
then written to the physical memory locations at 
corresponding addresses in the range ($10 to $FF) , the 
2 5 most significant character of the attempted address (in 

the range $210 to $2FF) being ignored in actually writing 
the data into physical RAM memory space 12.0. 



The result of this permuted writing is that after 
3 0. all four bytes have been written by the CPU, the permuted 
data can be read from the physical memory space 12.0 ($10 
to $FF) as shown the lower half of the P2 table above. 
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It will be understood that by performing the PI sub- 
function followed by the P2 sub-function, the "p" 
permutation is achieved, and the "p w permuted data can be 
' read directly from the four corresponding bytes in the 
5 physical memory space 12.0 ($10 to $FF) . 

It will be understood that the PI sub- function uses 
only the upper four bits of each input byte, while the P2 
sub- function uses only the lower four bits of each input 

10 byte, the unused four bits being discarded in each case. 
This allows efficient coding of the DES algorithm in the 
microcontroller 6: since the previous step in the DES 
algorithm is the *sl..s8 switch box lookup table*, which 
returns two switch boxes per byte, the programmer is not 

15 required to mask out the extra four bits (saving code and 
time) before performing the "p" permutation as described 
above . 

Similarly, to the process described above fox the PI 
2 0 and P2 sub- functions, in order to perform the KS1 sub- 
function, the CPU attempts to write four bytes (0 to 3 ) 
of source data (to be permuted) to address locations in 
the memory address space 12.3 ($310 to $3FF) . The effect 
of this is actually to write permuted data into 

2 5 corresponding memory locations in the address range 12 . 0 

($10 to $FF) . This permutation is achieved as follows. 

When the address range detector 22 detects that the 
address bus carries an address in this range ($3xx) , it 

3 0 produces its output to the AND gate 38. The AND gate 38 

also receives a write enable signal from the CPU 10, and 
produces a permute enable signal to the logic circuit 30. 
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Absent a permute enable signal, the logic circuit 3 0 
passes data along the data bus directly without permuting 
its bits. However, in the presence of a permute enable 
' signal produced by its associated AND gate, the logic 
5 circuit 30 permutes the individual bits of data on the 
data bus in accordance with the definition given in the 
upper half of the KS1 table above. The permuted data is 
then written to the physical memory locations at 
corresponding addresses in the range {$10 to $FF) , the 
10 most significant character of the attempted address (in 

the range $310 to $3FF) being ignored in actually writing 
the data into physical RAM memory space 12 . 0 . 

The result of this permuted writing is that after 

1 5 all four bytes have been written by the CPU, the permuted 

data can be read from the physical memory space 12.0 ($10 
to $FF) as shown the lower half of the KS1 table above. 

Similarly, to the process described above for the 

2 0 PI, P2 and KS1 sub- funct ions, in order to perform the KS2 

sub-function, the CPU attempts to write four bytes (0- to 
3) of source data (to be- permuted) to address locations 
in the memory address space 12.4 ($410 to $4FF) . The 
effect of this is actually to write permuted data into 

2 5 corresponding memory locations in the address range 12.0 

($10 to $FF) . This permutation is achieved as follows. 

When the address range detector 24 detects that the 
address bus carries an address in this range ($4xx) , it 

3 0 produces its output to the AND gate 40. The AND gate 40 

also receives a write enable signal from the CPU 10, and 
produces a permute enable signal to the logic circuit 32. 
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Absent a permute enable signal, the logic circuit 32 
passes data along the data bus directly without permuting 
its bits. However, in the presence of a permute enable 
signal produced by its associated AND gate, the logic 
5 circuit 32 permutes the individual bits of data on the 
data bus in accordance with the definition given in the 
upper half of the KS2 table above. The permuted data is 
then written to- the physical memory locations at 
corresponding addresses in the range ($10 to $FF) , the 
10 most significant character of the attempted address (in 

the range $410 to $4FF) being ignored in actually writing 
the data into physical RAM memory space 12 . 0 . 



The result of this permuted writing is that after 
15 all four bytes have been written by the CPU, the permuted 
data can be read from the physical memory space 12.0 ($10 
to $FF) as shown the lower half of the KS2 table above. 

It will be understood that by performing the KS1 

2 0 sub- function followed by the KS2 sub-function, the 

"permuted choice 2" permutation is achieved, and the 1 
"permuted choice 2" permuted data can be read directly 
from the four corresponding bytes in the physical memory 
space 12.0 ($10 to $FF) . 

25 

It will be understood that the KS1 and KS2 sub- 
functions, into which the 48 -bit "permuted choice 2" 
function is split, are 28-bit functions which are spread 
over four bytes with the most significant two bits of 

3 0 each byte unused (i.e., clear). 

It will be understood that necessary interconnection 
of the logic circuitry in the logic circuits 26, 28, 30 
and 32 will be readily apparent since it follows directly 
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from the definitions given in the tables above for the 
sub- functions PI, P2, KS1 and KS2, and so needs no 
further explanation in this description. 

5 It will be appreciated that by utilising the 

hardware permutation and "virtual memory' addressing 
techniques described above, advantages of speed and 
efficiency are obtained over the known technique of 
iir£>lementing the DES algorithm entirely in software. A 
1 0 cor^parison reveals the above-described "hardware* 

embodiment to be more than twice as fast as the known 
software-only technique, and to require some 40% less 
code than the known software-only technique (so requiring 
- less ROM to hold the code) . 

1 5 

It will be appreciated that the increased speed 
advantage of the above-described "hardware" embodiment 
can be "traded-of f * for slower CPU operation (a slower 
clock speed producing lower power consumption) in power 

2 0 sensitive applications. 

It .will also be. understood that the above-described 
"hardware" embodiment is "silicon area" efficient, since 
the extra area required for the additional circuitry 
2 5 necessary is substantially entirely offset by the saving 
in silicon area from reduced need for memory to hold 
code. Hence the above-described "hardware" embodiment 
produces its advantage at little or no cost in 
fabricating the integrated circuit microcontroller. 



3 0 



It will further be understood that, although in the 
above -described "hardware'' embodiment data permutation is 
achieved by writing to a "virtual memory" space and 
reading the permuted data directly from physical memory, 
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an analogous technique is possible in which data 
-permutation is achieved by writing directly to physical 
memory and permuting the data in hardware when reading 
from 'a "virtual memory* space. 

5 

FIG. 3 shows an alternate microcontroller in which 
this analogous technique is used. 

Referring now to FIG. 3, a microcontroller 106 

1 0 comprises a central processing unit (CPU) 110 which is 

coupled to random access memory (RAM) 112 via an address 
bus 114 and a data bus 116. The address space of the CPU 
110 is mapped on to five memory ranges 12.0 ($10 to $FF) , 
12.1 ($110 to $1FF), 12.2 ($210 to $2FF) , 12.3 ($310 to 
15 $3FF) and 12.4 ($410 to $4FF) . Only the lowest address 
range 12.0 ($10 to $FF) contains physical RAM. 

Four similar address range detectors 118, 120, 122 
and 124 are coupled to the address bus 114 . The address 

2 0 range detectors 118, 120, 122 and 124 detect whether an 

address on the address bus is within one of four 
respective chosen ranges, and produce a corresponding 
detector output. 

2 5 Four similar logic circuits 126, 128, 130 and 132 

are connected in the data bus 116. Four logic AND gates 
134, 13 6, 138 and 140 have their outputs connected 
respectively to the logic circuits 126, 128, 130 and 132. 
The AND gates 134, 136, 138 and 14 0 each have one input 

3 0 connected to the output of a respective address range 

detector 118, 120, 122 and 124. The AND gates 134, 136, 
138 and 14 0 each have another input connected to receive 
a read enable signal from the CPU 110 on line 142. 




14 - 

It will be understood that the microcontroller 106 
achieves hardware data permutation in implementing the 
DES algorithm in a manner analogous to that described 
■ above . for the microcontroller 6 shown in FIG. 2. 
5 However, whereas in the microcontroller 6 data 

permutation is achieved by writing data to a virtual 
memory address (and permuting the data in hardware when 
writing) then reading the permuted data directly from 
physical memory, the microcontroller 106 achieves data 
1 0 permutation by writing directly to physical memory then 
reading from a ''virtual memory" space (and permuting the 
data in hardware when reading) . 

It will be appreciated that various other modifications 
15 will be apparent to a person of ordinary skill in the 
art . 



BNSDOCID- <G8 2319705A \ > 



CLAIMS 



1. An arrangement for encrypting/decrypting data 
conprising: 

random access memory means for holding the data; 

a processor for processing the data, the processor 
having a memory map including a first portion mapped onto 
the random access memory and a second portion; and 

control means coupled to receive an instruction to 
write data to an address in the second portion of the 
memory map and in response thereto to write the data in a 
predetermined permuted form to an associated address in 
the random access memory, 

whereby data read from said associated address in 
the random access memory is an encrypted/ decrypted 
version of the data written to said address in the second 
portion of the memory map. 

2 . An arrangement for encrypting/decrypting data 
comprising: 

random access memory means for holding the data;- 

a processor for processing the data, the processor 
having a memory map including a first portion mapped onto 
the random access memory and a second portion; and 

control means coupled to receive an instruction to 
read data from an address in the second portion of the 
memory map and in response thereto to read in a 
predetermined permuted form data from an associated 
address in the random access memory, 

whereby said data read in response to said 
instruction to read data from an address in the second 
portion of the memory map is an encrypted/decrypted 
version of data written to said associated address in the 
random access memory. 
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3. An arrangement for encrypting/decrypting data 
according to claim 1 or 2 wherein the data 

' encryption/decryption is a permutation function in the 
5 DES algorithm. 

4. An arrangement for encrypting/ decrypting data 
according to claim 3 wherein the DES permutation function 
is achieved by performing sequential sub- f unct ions . 

10 

5. An arrangement for encrypting/ decrypting data 
according to claim 3 wherein the DES permutation function 
is the "p" permutation and the sub- functions are arranged 
to leave unused the most significant bits and least 

15 significant bits respectively of data to be permuted. 

6. A data carrier incorporating an arrangement for 
encrypting /decrypting data as claimed in any preceding 
claim. 

20 

7 . An arrangement for encrypting/decrypting data 
substantially as hereinbefore described with reference to 
the accompanying drawings . 

2 5 8. A data carrier substantially as hereinbefore 

described with reference to the accompanying drawings. 
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